Agencies discuss the realities of CDM rollout
By Sara Friedman
When it comes to implementing tools from the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, it can be a challenge for large agencies to figure out where to start.
The Department of Energy, for example, provides cybersecurity support for 17 national labs across the country that have different missions and needs.
“We are working on rolling out an enterprise cyber risk management framework that isn’t just a policy on the shelf,” Micah Czigan, director of DOE’s Integrated Joint Cybersecurity Coordination Center, said at the Nov. 1 FCW Big Issues Conference. “It is integrated into all parts of the program, realizing that the enemy isn’t a hacker in the basement but nation-states that are already in our networks.”
“We need to get all of our components and site information into one single dashboard at a single location, which we can feed back into the enterprise,” Czigan said. “We are trying to understand how all of the pieces of CDM fit into the overall cybersecurity strategy and enhance our ability to root out the attacker.”
At NASA, Willie Crenshaw, program executive for CDM and risk management, said he hopes that the move into CDM will help to “minimize the damage” from attacks and prevent “catastrophic things from happening.”
“As you start to get a better vision into your systems, you can start maneuvering more to solve problems,” Crenshaw said. “Teams can be put together with the correct mindset in place.”
Through NASA efforts like the System for Administration, Training, Educational Resources program, Crenshaw’s team is working to bring in training tools for cybersecurity and risk management that can help to cultivate that correct mindset.
Being able to adjust to the context is key, he said. NASA, for example, has research agreements to share information with other countries that may not be U.S. allies, which can create security issues when it comes to sharing research.
“Scientists are not necessarily worried about cybersecurity because they just want to get the information out,” Crenshaw said. “We need to show them that we want to protect their data by taking an interest in their work” and helping them work securely.
DHS is now planning for the next two phases of the CDM program.
Phase 1 focused on determining agencies' attack surface through their reporting on hardware, software, configuration settings and vulnerability management. However, CDM Program Manager Kevin Cox said agencies were underreporting their attack surfaces at “around the 70 percent level,” which made it difficult for them to gain “day-after-day visibility for patching” and risk management.
Phase 2 of CDM focuses on how users access networks. Phase 3 will pull all of this information into a master dashboard for agencies to monitor their traffic and network activities.
The dashboards will create a way for agencies to see device, user and incident records to get a better idea of network penetration and tag areas of concern.
“There is still a lot of work that needs to be done to give agencies the ability to understand how their data is protected,” Cox said. “Ultimately, we want to get into incident response optimization.”
Work is also underway to extend CDM into the cloud and mobile environments, but Cox said agencies should not expect the same method of threat detection for each level of security. For example, mobile devices provided by agencies are connected through device management systems to monitor activity.
“We want to create a marketplace of ideas to meet these CDM requirements,” Cox said. “With Phase 1 and 2, we realized that agency uptake was not immediate, so we need to communicate a way to ensure all requirements can be met,” he said, but the approach will differ depending on agency solutions or product lists.